A new study has identified security vulnerabilities in five of the most popular password managers.
Now, a counter-intuitive tip: I still think you should use a password manager. So do the hackers at ISE, the independent security assessors who found the flaws and came to talk to me about them, and the other security professionals I spoke with about the study, released Tuesday. You would not stop wearing a seat belt because it cannot protect you in every kind of crash. The same applies to password managers.
But the research, which shows that password manager users are vulnerable to targeted malware attacks, points to ways to strengthen our defenses. And it reveals a bigger truth that gets lost in the headlines about breaches and bugs: online security is not about being impenetrable; it is about not being the lowest-hanging fruit.
Password managers are programs that keep all your login information in an online vault. They are essential tools for staying safe, because the most annoying thing about the Internet, passwords, drives people to make the number one security mistake: reusing passwords. Hackers know we do it, so they take passwords from one hacked site and try them on many others. Using a program to keep track of all your unique passwords takes some adjustment, but they are getting simpler and can speed up logging in. (See my recommendations here.)
The question that haunts these programs is: how can you safely put all your passwords in one basket? If someone steals it, you are sunk.
For the sake of accountability, audits like the new one by ISE are important. The Windows 10 applications for 1Password, Dashlane, KeePass, LastPass, and RoboForm left passwords exposed in the computer's memory while the applications were in "locked" mode. For a hacker with access to the PC, passwords that should have been hidden were no more secure than a text file on your desktop. (The researchers looked only at the Windows applications, but say the issue could also affect Apple Macs and mobile operating systems.)
1Password, LastPass and RoboForm even exposed the master password, the one used to unlock all your other passwords. "The 'lock' button on password managers is broken – some more severely than others," said lead researcher Adrian Bednarek.
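As an added illustration of the audit's finding (not code from the article or from any of the vendors named), the toy vault below, in C, contrasts a "lock" that only flips a flag with one that scrubs its secret buffers, and checks both the way a tester would inspect a process memory dump. The vault layout, the memset_vol pointer, and the sample password are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Zeroization via a volatile function pointer: the optimizer cannot prove the
 * callee is memset, so it cannot drop the store as dead before the object dies. */
static void *(*volatile memset_vol)(void *, int, size_t) = memset;
static void secure_zero(void *p, size_t n) { memset_vol(p, 0, n); }

#define SECRET_MAX 64
/* Constructed toy vault (not any vendor's layout): master password, one decrypted entry. */
struct vault { char master[SECRET_MAX]; char entry[SECRET_MAX]; int locked; };
/* Unlock stands in for the KDF + decrypt step; plaintext now sits in process memory. */
static int vault_unlock(struct vault *v, const char *master, const char *entry) {
    if (strlen(master) >= SECRET_MAX || strlen(entry) >= SECRET_MAX) return -1;
    strcpy(v->master, master);
    strcpy(v->entry, entry);
    v->locked = 0;
    return 0;
}
/* The behaviour the audit criticised: "locked" is only a flag, secrets stay resident. */
static void vault_lock_flag_only(struct vault *v) { v->locked = 1; }
/* Hardened lock: scrub every secret buffer before reporting the locked state. */
static void vault_lock_scrub(struct vault *v) {
    secure_zero(v->master, sizeof v->master);
    secure_zero(v->entry, sizeof v->entry);
    v->locked = 1;
}
/* What a tester does with a memory dump: scan the raw bytes for the plaintext secret. */
static int secret_in_memory(const struct vault *v, const char *secret) {
    const unsigned char *buf = (const unsigned char *)v;
    size_t n = strlen(secret);
    for (size_t i = 0; n && i + n <= sizeof *v; i++)
        if (memcmp(buf + i, secret, n) == 0) return 1;
    return 0;
}
/* 1 if the master password is still findable after the given lock routine, else 0. */
static int master_leaks_after(void (*lock)(struct vault *)) {
    struct vault v = {0};
    const char *master = "correct-horse-battery";   /* constructed sample value */
    if (vault_unlock(&v, master, "entry-pw-42") != 0) return -1;
    lock(&v);
    int leaked = secret_in_memory(&v, master);
    secure_zero(&v, sizeof v);   /* do not leave the sample behind on the stack either */
    return leaked;
}
int main(void) {
    printf("flag-only lock leaks master: %d\n", master_leaks_after(vault_lock_flag_only));
    printf("scrubbing lock leaks master: %d\n", master_leaks_after(vault_lock_scrub));
    return 0;
}
```

A real product also has to chase copies the secret made on its way through the UI, clipboard, and allocator, which is why the vendors argue the fix is not entirely in their hands.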
The companies had a range of responses. LastPass and RoboForm said they would release updates this week. Dashlane said it had documented the problem for some time and was working on patches, but that other security issues were more significant. KeePass and 1Password considered it a known limitation of Windows and an accepted risk.
Casey Ellis, the founder of Bugcrowd, a platform through which researchers report vulnerabilities, said companies have to weigh the risk of each bug discovered and set priorities. "Password companies respect the highest security standards, and people should be able to sleep well at night knowing that these companies take the concerns seriously," he said. "Vulnerabilities are not mysterious – they result from people not being perfect – and finding them is a good thing."
Why isn't this a hair-on-fire problem? Because, for now, we are ahead of the threat. There is no evidence that hackers are targeting the computers of individual password manager users. The question is: how long will that last?
The risk is relative
Yes, it is risky to store all your passwords in one place with a password manager. But it helps to think about risk the way a hacker does: there is no "safe" and "unsafe," only degrees of risk.
Assuming living in a bunker is not an option for you, your choices are to reuse passwords or to trust a password manager.
The latter would certainly not be safer if password manager companies were simultaneously exposing millions of passwords through server breaches. But the companies encrypt our secrets and do not store the master passwords used to unlock that encryption. If their servers are hacked, the data is gibberish without the master password, which only each user knows. (So choose a unique master password, never share it with anyone, and do not forget it.)
The bug found by ISE poses a different kind of risk: passwords exposed in the PC memory of individual users. Any exposure "unnecessarily endangers the secret files of the users," Bednarek writes in his report. But this finding is nowhere near a worst-case scenario. To read your PC's memory, a hacker would most likely have to either sit down at your computer or get you to install malware that takes control of it.
Hackers generally prefer mass attacks to attacks on individuals, unless the individual is extremely valuable. And when it comes to mass attacks, there are far easier pickings, like all the people who still reuse passwords.
Bednarek's concern: as more and more people use password managers, malware writers could start targeting their computers to steal passwords. Multiplied across millions of password manager users, a risk that is low for any one individual could expose a large number of passwords. He says his goal is "to establish a reasonable minimum baseline that all password managers should adhere to."
The companies said that malware is not a risk unique to password manager users. A hacker with access to your computer can also run code such as a keylogger that records everything you type. At that point, your password manager is not your only problem.
The companies and the researchers also disagree about whether the memory problem can be fixed without fundamental changes to the operating systems. Dashlane chief executive Emmanuel Schalit said that local memory attacks are still a hypothetical concern. "It is more important for us to further strengthen the critical components of our server infrastructure or cryptographic system, as this has a greater impact on the security of our users," he said.
Strengthen the defenses
Both parties are in agreement on one point: your personal devices are the weakest link. It's much harder for a password manager – or any software – to protect your valuable data if the computer you're working on is compromised.
So make sure you are not an easy target for hackers by:
- Updating your software religiously. New versions contain very important security patches.
- Checking your computer for malware. I recommend Malwarebytes for Windows and MacOS.
- Being very careful when installing software from anywhere other than the app stores run by Microsoft, Apple, and Google. Say no to web browser extensions and pop-up messages.
- Not storing extremely valuable secrets, such as private bitcoin keys, in password managers.
The other lesson from the new research is how the password managers handled the problem. "They are not all created equal," Bednarek said. Dashlane and KeePass did the most to protect the master password in the computer's memory. Dashlane remains my first-choice password manager for consumers, although it is also the most expensive.
I also learned how seriously they reacted to ISE when Bednarek contacted them, and to me during my follow-up. KeePass dismissed the information as old news, and RoboForm had little to say. Dashlane put me on the phone with its CEO. 1Password's chief defender against the forces of evil sent me long emails. LastPass asked me to speak to its technical chief, but Bednarek was also banned from Bugcrowd, the site on which researchers report flaws, when he revealed the bug.
Troy Hunt, a security expert who runs the compromised-password database Haveibeenpwned.com, says password managers need to be as resilient as possible. "If the result is that password managers have an impact on their security, then that's a good thing," he said. "As long as it does not scare their users."
Read more technology advice and analysis from Geoffrey A. Fowler.